AWS Security Blog

AWS Achieves FedRAMP High JAB Provisional Authorization


We are pleased to announce that AWS has received a FedRAMP High JAB Provisional Authorization to Operate (P-ATO) from the Joint Authorization Board (JAB) for the AWS GovCloud (US) Region. The new Federal Risk and Authorization Management Program (FedRAMP) High JAB Provisional Authorization is mapped to more than 400 National Institute of Standards and Technology (NIST) security controls. This P-ATO recognizes AWS GovCloud (US) as a secure environment on which to run highly sensitive government workloads, including Personally Identifiable Information (PII), sensitive patient records, financial data, law enforcement data, and other Controlled Unclassified Information (CUI).

This is an exciting evolution of cloud computing usage within the U.S. government. It demonstrates that more agencies and governments can use, and are using, AWS to better protect and secure their sensitive data and critical workloads. It also indicates the growing demand of the U.S. government for the advanced security and control features that AWS provides. To date, more than 2,000 government customers worldwide have utilized AWS. We anticipate this High baseline P-ATO will broaden the use of AWS in civilian, defense, and state governments.

FedRAMP is a U.S. government–wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The FedRAMP High JAB Provisional Authorization applies to nonclassified technology systems under the Federal Information Security Management Act (FISMA), with “High” meaning that the loss of confidentiality, integrity, or availability of that data could be expected to have a severe or catastrophic effect on organizational operations, assets, or individuals.

“We’re excited to launch the FedRAMP High JAB Provisional Authorization, and to recognize AWS as among the first cloud providers to achieve the most rigorous FedRAMP level to date. FedRAMP High takes the same ‘do once, use many times’ approach to cloud security controls. The FedRAMP High JAB Provisional Authorization will be important for civilian agencies, the Department of Defense (DoD), the Department of Veterans Affairs (VA), and other agencies to use the cloud for more-sensitive data,” said Matthew Goodrich, FedRAMP Director, GSA’s Office of Citizen Services and Innovative Technologies (OCSIT).

This authorization continues AWS’s commitment to customer security and compliance requirements, and applies to the AWS GovCloud (US) Region, including Amazon Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3), AWS Identity and Access Management (IAM), and Amazon Elastic Block Store (EBS). Launched in 2011, the AWS GovCloud (US) Region is isolated and designed to host sensitive workloads in the cloud. In addition to FedRAMP, AWS GovCloud (US) adheres to U.S. International Traffic in Arms Regulations (ITAR), Criminal Justice Information Services (CJIS) requirements, and Levels 2 and 4 of Department of Defense systems. To learn more about AWS’s FedRAMP compliance, see FedRAMP Compliance.

If you have additional questions about FedRAMP, please contact us, or if you would like to learn more about compliance in the cloud, see our AWS Cloud Compliance page.



Chad Woolf

Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud, compliance with complex privacy regulations such as GDPR and operating a trade and product compliance team in conjunction with global region expansion. Prior to joining AWS, Chad spent 12 years with Ernst & Young as a Senior Manager working directly with Fortune 100 companies consulting on IT process, security, risk, and vendor management advisory work, as well as designing and deploying global security and assurance software solutions. Chad holds a Masters of Information Systems Management and a Bachelors of Accounting from Brigham Young University, Utah. Follow Chad on Twitter.